Abstract
On the surface, large data centers with about 100,000 stations and nearly a million routing rules are complex and hard to verify. However, these networks are highly regular by design; for example they employ fat tree topologies with backup routers interconnected by redundant patterns. To exploit these regularities, we introduce network transformations: given a reachability formula and a network, we transform the network into a simpler-to-verify network and a corresponding transformed formula, such that the original formula is valid in the network if and only if the transformed formula is valid in the transformed network. Our network transformations exploit network surgery (in which irrelevant or redundant sets of nodes, headers, ports, or rules are "sliced" away) and network symmetry (say between backup routers). The validity of these transformations is established using a formal theory of networks. In particular, using Van Benthem-Hennessy-Milner style bisimulation, we show that one can generally associate bisimulations to transformations connecting networks and formulas with their transforms. Our work is a development in an area of current wide interest: applying programming language techniques (in our case bisimulation and modal logic) to problems in switching networks. We provide experimental evidence that our network transformations can speed up by 65x the task of verifying the communication between all pairs of Virtual Machines in a large datacenter network with about 100,000 VMs. An all-pair reachability calculation, which formerly took 5.5 days, can be done in 2 hours, and can be easily parallelized to complete in
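The two transformations the abstract describes, as an added worked example (this is not code from the paper or its authors): a header-space style reachability check, a surgery pass that slices away every node that cannot lie on a path between the query endpoints, and a symmetry pass that merges bisimilar nodes (such as a primary and its backup) by partition refinement, after which the transformed query is answered on the smaller network and must agree with the answer on the original. The two-pod fat-tree fragment, the node names and the header ranges are constructed for the illustration; realising the symmetry step as a bisimulation quotient with the endpoints kept in singleton classes is one standard construction and is an assumption here, not the paper's exact algorithm.

```python
"""Added illustration (not the paper's code): surgery + symmetry transforms
for reachability.  Headers are small ints, match sets are frozensets, and
the topology is a constructed toy, not data from the paper."""
from collections import deque

# A network maps node -> list of (match_set, next_hop).  A packet whose header
# is in match_set is forwarded to next_hop; several rules may match the same
# header (ECMP / backup paths).
def R(lo, hi):
    return frozenset(range(lo, hi + 1))

TOY_NET = {                       # constructed two-pod fat-tree fragment
    "T1": [(R(0, 9), "H1"), (R(10, 19), "A1"), (R(10, 19), "A2")],
    "A1": [(R(0, 9), "T1"), (R(10, 19), "C1"), (R(10, 19), "C2")],
    "A2": [(R(0, 9), "T1"), (R(10, 19), "C1"), (R(10, 19), "C2")],
    "C1": [(R(0, 9), "A1"), (R(10, 19), "A3"), (R(20, 29), "X")],
    "C2": [(R(0, 9), "A2"), (R(10, 19), "A4"), (R(20, 29), "X")],
    "A3": [(R(0, 9), "C1"), (R(0, 9), "C2"), (R(10, 19), "T2")],
    "A4": [(R(0, 9), "C1"), (R(0, 9), "C2"), (R(10, 19), "T2")],
    "T2": [(R(10, 19), "H2"), (R(0, 9), "A3"), (R(0, 9), "A4")],
    "M1": [(R(0, 19), "T1")],     # management box nobody forwards to
}

def reachable_headers(net, src, dst, headers):
    """Header-space style forward exploration: the subset of `headers` that
    can be delivered from src to dst along some chain of rules."""
    seen = {src: frozenset(headers)}          # node -> headers seen there
    work = deque([(src, frozenset(headers))])
    while work:
        node, hs = work.popleft()
        for match, nxt in net.get(node, ()):
            new = (hs & match) - seen.get(nxt, frozenset())
            if new:                           # only propagate fresh headers
                seen[nxt] = seen.get(nxt, frozenset()) | new
                work.append((nxt, new))
    return seen.get(dst, frozenset())

def slice_network(net, src, dst):
    """Surgery: keep only nodes that are reachable from src and can reach dst
    on the topology graph; rules pointing at cut nodes are dropped."""
    succ = {n: {h for _, h in rules} for n, rules in net.items()}
    pred = {}
    for n, outs in succ.items():
        for m in outs:
            pred.setdefault(m, set()).add(n)
    def closure(start, adj):
        seen, stack = {start}, [start]
        while stack:
            for m in adj.get(stack.pop(), ()):
                if m not in seen:
                    seen.add(m)
                    stack.append(m)
        return seen
    keep = closure(src, succ) & closure(dst, pred)
    return {n: [(m, h) for m, h in net.get(n, ()) if h in keep] for n in keep}

def quotient_network(net, src, dst):
    """Symmetry: refine a partition of the nodes into bisimulation classes
    (two nodes share a class iff they forward identical header sets to
    identical classes).  src and dst start in singleton classes, so the
    transformed query is simply (class(src), class(dst))."""
    nodes = set(net) | {h for rules in net.values() for _, h in rules}
    block = {n: {src: 1, dst: 2}.get(n, 0) for n in nodes}
    while True:
        sig, ids = {}, {}
        for n in nodes:
            out = {}                          # class -> headers sent to it
            for m, h in net.get(n, ()):
                out[block[h]] = out.get(block[h], frozenset()) | m
            sig[n] = (block[n], tuple(sorted(out.items(), key=lambda kv: kv[0])))
        new_block = {n: ids.setdefault(sig[n], len(ids)) for n in nodes}
        if len(ids) == len(set(block.values())):
            break                             # stable: no class was split
        block = new_block
    qnet = {}
    for n in nodes:                           # any member is a valid representative
        qnet.setdefault(block[n], [(m, block[h]) for m, h in net.get(n, ())])
    return qnet, block[src], block[dst]

def verify_via_transform(net, src, dst, headers):
    """Reachability on the transformed (sliced, then quotiented) network."""
    sliced = slice_network(net, src, dst)
    if src not in sliced:                     # no topological path at all
        return frozenset()
    qnet, qs, qd = quotient_network(sliced, src, dst)
    return reachable_headers(qnet, qs, qd, headers)

if __name__ == "__main__":
    q = ("T1", "H2", R(0, 29))
    print("direct     :", sorted(reachable_headers(TOY_NET, *q)))
    print("transformed:", sorted(verify_via_transform(TOY_NET, *q)))
    all_nodes = set(TOY_NET) | {h for r in TOY_NET.values() for _, h in r}
    qnet = quotient_network(slice_network(TOY_NET, "T1", "H2"), "T1", "H2")[0]
    print("nodes:", len(all_nodes), "->", len(qnet))
```

On the constructed topology both checks return headers 10..19 for the T1 to H2 query, while surgery cuts the management box, the unrelated sink and the local host and the quotient then collapses the 9 remaining nodes to 6. The refinement only merges nodes that really are bisimilar: if a backup aggregation switch silently lacks a rule for one header, it is kept apart from its primary and the answer on the transformed network still equals the direct one, which is the property a practitioner should assert rather than assume when leaning on symmetry.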
Recommendations
A General Approach to Network Configuration Verification
SIGCOMM '17: Proceedings of the Conference of the ACM Special Interest Group on Data Communication
We present Minesweeper, a tool to verify that a network satisfies a wide range of intended properties such as reachability or isolation among nodes, waypointing, black holes, bounded path length, load-balancing, functional equivalence of two routers, ...

Validating datacenters at scale
SIGCOMM '19: Proceedings of the ACM Special Interest Group on Data Communication
We describe our experiences using formal methods and automated theorem proving for network operation at scale. The experiences are based on developing and applying the SecGuru and RCDC (Reality Checker for Data Centers) tools in Azure. SecGuru has been ...

Scaling network verification using symmetry and surgery
POPL '16: Proceedings of the 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages